johan
/
dealspace
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
dealspace/lib/rbac_test.go

652 lines
16 KiB
Go
Raw Blame History

package lib
import (
"testing"
"time"
"github.com/google/uuid"
)
func TestCheckAccess(t *testing.T) {
db, cfg := testDB(t)
// Create owner
ownerID := uuid.New().String()
now := time.Now().UnixMilli()
owner := &User{
UserID: ownerID,
Email: "owner@test.com",
Name: "Owner",
Password: "$2a$10$test",
Active: true,
CreatedAt: now,
UpdatedAt: now,
}
UserCreate(db, owner)
projectID := testProject(t, db, cfg, ownerID)
// IB admin can read
err := CheckAccessRead(db, ownerID, projectID, "")
if err != nil {
t.Errorf("IB admin should have read access: %v", err)
}
// IB admin can write
err = CheckAccessWrite(db, ownerID, projectID, "")
if err != nil {
t.Errorf("IB admin should have write access: %v", err)
}
// IB admin can delete
err = CheckAccessDelete(db, ownerID, projectID, "")
if err != nil {
t.Errorf("IB admin should have delete access: %v", err)
}
// Create seller user
sellerID := testUser(t, db, cfg, projectID, RoleSellerMember)
// Seller can read
err = CheckAccessRead(db, sellerID, projectID, "")
if err != nil {
t.Errorf("seller should have read access: %v", err)
}
// Seller can write
err = CheckAccessWrite(db, sellerID, projectID, "")
if err != nil {
t.Errorf("seller should have write access: %v", err)
}
// Create buyer user (read-only)
buyerID := testUser(t, db, cfg, projectID, RoleBuyerMember)
// Buyer can read
err = CheckAccessRead(db, buyerID, projectID, "")
if err != nil {
t.Errorf("buyer should have read access: %v", err)
}
// Buyer cannot write
err = CheckAccessWrite(db, buyerID, projectID, "")
if err != ErrAccessDenied {
t.Errorf("buyer should NOT have write access, got: %v", err)
}
}
func TestRoleHierarchy(t *testing.T) {
// Verify hierarchy levels: buyer < seller_member < seller_admin < ib_analyst < ib_member < ib_admin
expected := []struct {
role string
level int
}{
{RoleObserver, 10},
{RoleBuyerMember, 30},
{RoleBuyerAdmin, 40},
{RoleSellerMember, 50},
{RoleSellerAdmin, 70},
{RoleIBMember, 80},
{RoleIBAdmin, 100},
}
for _, tc := range expected {
level, ok := RoleHierarchy[tc.role]
if !ok {
t.Errorf("role %s not in hierarchy", tc.role)
continue
}
if level != tc.level {
t.Errorf("role %s: expected level %d, got %d", tc.role, tc.level, level)
}
}
// Verify ordering
if RoleHierarchy[RoleBuyerMember] >= RoleHierarchy[RoleSellerMember] {
t.Error("buyer should be lower than seller_member")
}
if RoleHierarchy[RoleSellerMember] >= RoleHierarchy[RoleSellerAdmin] {
t.Error("seller_member should be lower than seller_admin")
}
if RoleHierarchy[RoleSellerAdmin] >= RoleHierarchy[RoleIBMember] {
t.Error("seller_admin should be lower than ib_member")
}
if RoleHierarchy[RoleIBMember] >= RoleHierarchy[RoleIBAdmin] {
t.Error("ib_member should be lower than ib_admin")
}
}
func TestCanGrantRole(t *testing.T) {
tests := []struct {
granter string
target string
canDo bool
}{
// IB admin can grant anything
{RoleIBAdmin, RoleIBAdmin, true},
{RoleIBAdmin, RoleIBMember, true},
{RoleIBAdmin, RoleSellerAdmin, true},
{RoleIBAdmin, RoleBuyerMember, true},
// IB member can grant lower roles
{RoleIBMember, RoleIBAdmin, false},
{RoleIBMember, RoleIBMember, true},
{RoleIBMember, RoleSellerAdmin, true},
// Seller admin can grant seller and buyer roles
{RoleSellerAdmin, RoleIBMember, false},
{RoleSellerAdmin, RoleSellerAdmin, true},
{RoleSellerAdmin, RoleSellerMember, true},
{RoleSellerAdmin, RoleBuyerMember, true},
// Buyer cannot grant higher roles
{RoleBuyerAdmin, RoleSellerMember, false},
{RoleBuyerAdmin, RoleBuyerAdmin, true},
{RoleBuyerAdmin, RoleBuyerMember, true},
}
for _, tc := range tests {
result := CanGrantRole(tc.granter, tc.target)
if result != tc.canDo {
t.Errorf("CanGrantRole(%s, %s) = %v, want %v", tc.granter, tc.target, result, tc.canDo)
}
}
}
func TestGrantRevoke(t *testing.T) {
db, cfg := testDB(t)
// Create admin
adminID := uuid.New().String()
now := time.Now().UnixMilli()
admin := &User{
UserID: adminID,
Email: "admin@test.com",
Name: "Admin",
Password: "$2a$10$test",
Active: true,
CreatedAt: now,
UpdatedAt: now,
}
UserCreate(db, admin)
projectID := testProject(t, db, cfg, adminID)
// Create user with no access
userID := uuid.New().String()
user := &User{
UserID: userID,
Email: "user@test.com",
Name: "User",
Password: "$2a$10$test",
Active: true,
CreatedAt: now,
UpdatedAt: now,
}
UserCreate(db, user)
// Verify no access
err := CheckAccessRead(db, userID, projectID, "")
if err != ErrAccessDenied {
t.Error("user should have no access initially")
}
// Grant access
accessID := uuid.New().String()
access := &Access{
ID: accessID,
ProjectID: projectID,
UserID: userID,
Role: RoleBuyerMember,
Ops: "r",
CanGrant: false,
GrantedBy: adminID,
GrantedAt: now,
}
if err := AccessGrant(db, access); err != nil {
t.Fatalf("AccessGrant: %v", err)
}
// Verify access granted
err = CheckAccessRead(db, userID, projectID, "")
if err != nil {
t.Errorf("user should have read access after grant: %v", err)
}
// Revoke access
if err := AccessRevoke(db, accessID, adminID); err != nil {
t.Fatalf("AccessRevoke: %v", err)
}
// Verify access revoked
err = CheckAccessRead(db, userID, projectID, "")
if err != ErrAccessDenied {
t.Error("user should have no access after revoke")
}
}
func TestIsBuyerRole(t *testing.T) {
buyers := []string{RoleBuyerAdmin, RoleBuyerMember}
nonBuyers := []string{RoleIBAdmin, RoleIBMember, RoleSellerAdmin, RoleSellerMember, RoleObserver}
for _, role := range buyers {
if !IsBuyerRole(role) {
t.Errorf("%s should be buyer role", role)
}
}
for _, role := range nonBuyers {
if IsBuyerRole(role) {
t.Errorf("%s should NOT be buyer role", role)
}
}
}
func TestGetUserHighestRole(t *testing.T) {
db, cfg := testDB(t)
// Create admin and project
adminID := uuid.New().String()
now := time.Now().UnixMilli()
admin := &User{
UserID: adminID,
Email: "admin@test.com",
Name: "Admin",
Password: "$2a$10$test",
Active: true,
CreatedAt: now,
UpdatedAt: now,
}
UserCreate(db, admin)
projectID := testProject(t, db, cfg, adminID)
// Admin's highest role should be ib_admin
role, err := GetUserHighestRole(db, adminID, projectID)
if err != nil {
t.Fatalf("GetUserHighestRole: %v", err)
}
if role != RoleIBAdmin {
t.Errorf("expected ib_admin, got %s", role)
}
// Create user with multiple roles
userID := uuid.New().String()
user := &User{
UserID: userID,
Email: "multi@test.com",
Name: "Multi Role User",
Password: "$2a$10$test",
Active: true,
CreatedAt: now,
UpdatedAt: now,
}
UserCreate(db, user)
// Grant buyer role
AccessGrant(db, &Access{
ID: uuid.New().String(),
ProjectID: projectID,
UserID: userID,
Role: RoleBuyerMember,
Ops: "r",
GrantedBy: adminID,
GrantedAt: now,
})
// Grant seller role (higher)
AccessGrant(db, &Access{
ID: uuid.New().String(),
ProjectID: projectID,
UserID: userID,
Role: RoleSellerMember,
Ops: "rw",
GrantedBy: adminID,
GrantedAt: now,
})
// Highest should be seller_member
role, err = GetUserHighestRole(db, userID, projectID)
if err != nil {
t.Fatalf("GetUserHighestRole: %v", err)
}
if role != RoleSellerMember {
t.Errorf("expected seller_member (highest), got %s", role)
}
// User with no access
noAccessID := uuid.New().String()
noAccessUser := &User{
UserID: noAccessID,
Email: "noaccess@test.com",
Name: "No Access",
Password: "$2a$10$test",
Active: true,
CreatedAt: now,
UpdatedAt: now,
}
UserCreate(db, noAccessUser)
_, err = GetUserHighestRole(db, noAccessID, projectID)
if err != ErrAccessDenied {
t.Errorf("expected ErrAccessDenied for user with no access, got %v", err)
}
}
func TestWorkstreamAccess(t *testing.T) {
db, cfg := testDB(t)
// Create admin and project
adminID := uuid.New().String()
now := time.Now().UnixMilli()
admin := &User{
UserID: adminID,
Email: "admin@test.com",
Name: "Admin",
Password: "$2a$10$test",
Active: true,
CreatedAt: now,
UpdatedAt: now,
}
UserCreate(db, admin)
projectID := testProject(t, db, cfg, adminID)
// Create user with access to specific workstream only
userID := uuid.New().String()
user := &User{
UserID: userID,
Email: "ws@test.com",
Name: "Workstream User",
Password: "$2a$10$test",
Active: true,
CreatedAt: now,
UpdatedAt: now,
}
UserCreate(db, user)
workstreamID := "workstream-1"
AccessGrant(db, &Access{
ID: uuid.New().String(),
ProjectID: projectID,
WorkstreamID: workstreamID,
UserID: userID,
Role: RoleSellerMember,
Ops: "rw",
GrantedBy: adminID,
GrantedAt: now,
})
// User has access to their workstream
_, err := CheckAccess(db, userID, projectID, workstreamID, "r")
if err != nil {
t.Errorf("user should have access to their workstream: %v", err)
}
// User should NOT have access to different workstream
_, err = CheckAccess(db, userID, projectID, "different-workstream", "r")
if err != ErrAccessDenied {
t.Error("user should NOT have access to different workstream")
}
}
// ---- Additional tests for super_admin, IsSuperAdmin, and ValidateOrgDomain ----
func TestSuperAdminBypassesCheckAccess(t *testing.T) {
db, cfg := testDB(t)
// Create a regular user who owns a project
ownerID := uuid.New().String()
now := time.Now().UnixMilli()
owner := &User{
UserID: ownerID,
Email: "owner@test.com",
Name: "Owner",
Password: "$2a$10$test",
Active: true,
CreatedAt: now,
UpdatedAt: now,
}
UserCreate(db, owner)
projectID := testProject(t, db, cfg, ownerID)
// Create super_admin user (no explicit project access)
superAdminID := uuid.New().String()
superAdmin := &User{
UserID: superAdminID,
Email: "superadmin@test.com",
Name: "Super Admin",
Password: "$2a$10$test",
Active: true,
CreatedAt: now,
UpdatedAt: now,
}
UserCreate(db, superAdmin)
// Grant super_admin role on a dummy project (super_admin is global but stored per project)
dummyProjectID := uuid.New().String()
AccessGrant(db, &Access{
ID: uuid.New().String(),
ProjectID: dummyProjectID,
UserID: superAdminID,
Role: RoleSuperAdmin,
Ops: "rwdm",
CanGrant: true,
GrantedBy: "system",
GrantedAt: now,
})
// Verify super_admin is recognized
isSA, err := IsSuperAdmin(db, superAdminID)
if err != nil {
t.Fatalf("IsSuperAdmin failed: %v", err)
}
if !isSA {
t.Error("User with super_admin role should be recognized as super admin")
}
// super_admin should have full access to any project without explicit grant
access, err := CheckAccess(db, superAdminID, projectID, "", "r")
if err != nil {
t.Errorf("super_admin should have read access: %v", err)
}
if access == nil {
t.Fatal("CheckAccess should return an Access object for super_admin")
}
if access.Role != RoleSuperAdmin {
t.Errorf("Access role should be super_admin, got %s", access.Role)
}
if access.Ops != "rwdm" {
t.Errorf("super_admin should have rwdm ops, got %s", access.Ops)
}
// Test all operations
_, err = CheckAccess(db, superAdminID, projectID, "", "w")
if err != nil {
t.Errorf("super_admin should have write access: %v", err)
}
_, err = CheckAccess(db, superAdminID, projectID, "", "d")
if err != nil {
t.Errorf("super_admin should have delete access: %v", err)
}
_, err = CheckAccess(db, superAdminID, projectID, "", "m")
if err != nil {
t.Errorf("super_admin should have manage access: %v", err)
}
// Test convenience functions
err = CheckAccessRead(db, superAdminID, projectID, "")
if err != nil {
t.Errorf("super_admin CheckAccessRead should pass: %v", err)
}
err = CheckAccessWrite(db, superAdminID, projectID, "")
if err != nil {
t.Errorf("super_admin CheckAccessWrite should pass: %v", err)
}
err = CheckAccessDelete(db, superAdminID, projectID, "")
if err != nil {
t.Errorf("super_admin CheckAccessDelete should pass: %v", err)
}
}
func TestIsSuperAdmin(t *testing.T) {
db, _ := testDB(t)
now := time.Now().UnixMilli()
// Create regular user
regularID := uuid.New().String()
regular := &User{
UserID: regularID,
Email: "regular@test.com",
Name: "Regular User",
Password: "$2a$10$test",
Active: true,
CreatedAt: now,
UpdatedAt: now,
}
UserCreate(db, regular)
// Create super admin user
superID := uuid.New().String()
superUser := &User{
UserID: superID,
Email: "super@test.com",
Name: "Super User",
Password: "$2a$10$test",
Active: true,
CreatedAt: now,
UpdatedAt: now,
}
UserCreate(db, superUser)
// Grant super_admin role
AccessGrant(db, &Access{
ID: uuid.New().String(),
ProjectID: "any-project",
UserID: superID,
Role: RoleSuperAdmin,
Ops: "rwdm",
CanGrant: true,
GrantedBy: "system",
GrantedAt: now,
})
// Test IsSuperAdmin
isSA, err := IsSuperAdmin(db, superID)
if err != nil {
t.Fatalf("IsSuperAdmin failed: %v", err)
}
if !isSA {
t.Error("User with super_admin role should return true")
}
isRegularSA, err := IsSuperAdmin(db, regularID)
if err != nil {
t.Fatalf("IsSuperAdmin for regular user failed: %v", err)
}
if isRegularSA {
t.Error("Regular user should not be super admin")
}
// Test with ib_admin (should NOT be super admin)
ibAdminID := uuid.New().String()
ibAdmin := &User{
UserID: ibAdminID,
Email: "ibadmin@test.com",
Name: "IB Admin",
Password: "$2a$10$test",
Active: true,
CreatedAt: now,
UpdatedAt: now,
}
UserCreate(db, ibAdmin)
AccessGrant(db, &Access{
ID: uuid.New().String(),
ProjectID: "test-project",
UserID: ibAdminID,
Role: RoleIBAdmin,
Ops: "rwdm",
CanGrant: true,
GrantedBy: "system",
GrantedAt: now,
})
isIBSA, err := IsSuperAdmin(db, ibAdminID)
if err != nil {
t.Fatalf("IsSuperAdmin for ib_admin failed: %v", err)
}
if isIBSA {
t.Error("ib_admin should NOT be super admin")
}
}
func TestIsSuperAdminRevokedGrant(t *testing.T) {
db, _ := testDB(t)
now := time.Now().UnixMilli()
// Create user
userID := uuid.New().String()
user := &User{
UserID: userID,
Email: "revoke-test@test.com",
Name: "Revoke Test",
Password: "$2a$10$test",
Active: true,
CreatedAt: now,
UpdatedAt: now,
}
UserCreate(db, user)
// Grant and then revoke super_admin
accessID := uuid.New().String()
AccessGrant(db, &Access{
ID: accessID,
ProjectID: "any-project",
UserID: userID,
Role: RoleSuperAdmin,
Ops: "rwdm",
CanGrant: true,
GrantedBy: "system",
GrantedAt: now,
})
// Should be super admin
isSA, _ := IsSuperAdmin(db, userID)
if !isSA {
t.Error("Should be super admin before revocation")
}
// Revoke the grant
AccessRevoke(db, accessID, "system")
// Should no longer be super admin
isSA, _ = IsSuperAdmin(db, userID)
if isSA {
t.Error("Should NOT be super admin after revocation")
}
}
func TestSuperAdminCanGrantAnyRole(t *testing.T) {
// super_admin (level 200) should be able to grant any role
tests := []struct {
target string
canDo bool
}{
{RoleSuperAdmin, true},
{RoleIBAdmin, true},
{RoleIBMember, true},
{RoleSellerAdmin, true},
{RoleSellerMember, true},
{RoleBuyerAdmin, true},
{RoleBuyerMember, true},
{RoleObserver, true},
}
for _, tc := range tests {
result := CanGrantRole(RoleSuperAdmin, tc.target)
if result != tc.canDo {
t.Errorf("CanGrantRole(super_admin, %s) = %v, want %v", tc.target, result, tc.canDo)
}
}
}
Reference in New Issue View Git Blame Copy Permalink